What cryptographic certifications does KeepKey’s MCU have?

We use the STM32F205RGT6 MCU from STMicroelectronics, and it has received certifications in FIPS PUB 140-2 and FIPS PUB 180-2.

Can my private key be removed from the KeepKey by a thief?
Your KeepKey uses a very limited protocol to communicate with the computers it is connected to. Private keys are never exposed in this protocol.

The micro-controller in KeepKey is set to the highest level (2) of read protection, which is enabled during manufacturing. This prevents access to its flash memory (where private keys are stored) with externally attached debug tools. For additional security, PIN protection is offered during initialization. This prevents unauthorized users from reviewing balances and transacting on your KeepKey.

An optional passphrase can be used to encrypt your private keys, so even if the read protection feature of the micro-controller is circumvented, your private keys remain safe.

Can a reseller install modified firmware on a KeepKey I purchase, which later steals my bitcoins?
Although KeepKey supports custom firmware, any firmware that was not distributed officially by us will display a warning at boot time. If you see this warning and you did not upload custom firmware, you should immediately contact customer support.

How can I be sure that my KeepKey wasn’t tampered with before I received it?
We use tamper-resistant packaging, and we designed KeepKey so that it cannot be opened without breaking the security seal. All KeepKeys are tested, packaged, and shrink-wrapped in-house prior to shipment. Despite these precautions, however, we recommend that you purchase your KeepKey directly from us or one of our authorized resellers.

If someone finds my KeepKey recovery sentence backup, can they steal my bitcoins?
Anybody with access to your recovery sentence can regenerate your private keys, and therefore access your bitcoins. This means you should protect your recovery sentence and store it in a safe place.

If you use KeepKey’s advanced passphrase feature, even if a thief learns your recovery sentence, they will not be able to access your bitcoins without knowing the passphrase. You can also have multiple passphrases, making it even more difficult for thieves with your recovery sentence to gain access to your bitcoins.

Does KeepKey ship with pre-determined private keys?
KeepKey does not ship with any private keys. Before you can use your KeepKey, you must initialize it. During initialization, your private keys will be generated using entropy provided by the computer client, combined with entropy generated by the KeepKey. This method ensures that KeepKey is generating unique and unpredictable private keys.
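The following is an added illustration of the two ideas in this answer, not KeepKey's firmware code: mixing host-supplied and device-supplied randomness so that the result stays unpredictable as long as at least one contributor is honest, and then encoding the resulting 128 bits as the twelve 11-bit word indices of a BIP39 recovery sentence. The concatenate-and-hash mixing step is an assumption for the example (the page does not state KeepKey's exact method); the BIP39 checksum and index layout follow the standard.

```python
import hashlib
import os

ENT_BITS = 128            # a 12-word sentence encodes 128 bits of entropy
CS_BITS = ENT_BITS // 32  # BIP39 checksum length: ENT/32 = 4 bits
WORD_BITS = 11            # each word is an index into a 2048-entry list


def combine_entropy(host_entropy, device_entropy):
    """Mix host- and device-supplied randomness into 16 bytes of seed entropy.

    Assumed construction for this example: hash the concatenation. Because
    every output bit depends on both inputs, a host that supplies predictable
    (or attacker-chosen) bytes cannot predict the result while the device's
    own contribution stays secret, and vice versa.
    """
    if len(host_entropy) < 32 or len(device_entropy) < 32:
        raise ValueError("each party must contribute at least 32 bytes")
    return hashlib.sha256(host_entropy + device_entropy).digest()[:ENT_BITS // 8]


def mnemonic_indices(entropy):
    """BIP39: 128-bit entropy -> 4-bit checksum -> twelve 11-bit word indices.

    The checksum is the first CS_BITS bits of SHA-256(entropy), appended to
    the entropy; the 132-bit string is then split into 11-bit groups.
    """
    if len(entropy) * 8 != ENT_BITS:
        raise ValueError("expected 16 bytes of entropy")
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - CS_BITS)
    bits = (int.from_bytes(entropy, "big") << CS_BITS) | checksum
    total_bits = ENT_BITS + CS_BITS
    return [(bits >> (total_bits - WORD_BITS * (i + 1))) & 0x7FF
            for i in range(total_bits // WORD_BITS)]


def generate_indices(host_entropy, device_entropy=None):
    """Full flow: host contributes bytes, device adds its own, seed is derived."""
    if device_entropy is None:
        device_entropy = os.urandom(32)  # stands in for the device's hardware RNG
    return mnemonic_indices(combine_entropy(host_entropy, device_entropy))


if __name__ == "__main__":
    # Constructed inputs: a host that sends all zeros is still safe because the
    # device's randomness is mixed in.
    weak_host = bytes(32)
    print(generate_indices(weak_host))
```

The all-zero entropy block is the first official BIP39 test vector: its checksum nibble is 3, so the indices are eleven zeros followed by 3, which in the English wordlist reads "abandon" eleven times and then "about".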

What prevents someone from stealing my KeepKey and spending my bitcoins?
Your KeepKey is PIN-protected. Should it fall into the wrong hands, the device is useless if the PIN is not known. KeepKey also rate-limits PIN entry: each failed attempt increases the delay before the next attempt is accepted.
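As an added example (not KeepKey's firmware), here is a minimal PIN guard implementing the behaviour this answer describes: a constant-time PIN comparison, a failure counter, and a wait that grows with every consecutive failure. The doubling schedule (2**n seconds after n failures) is an assumption chosen for the illustration, since the page gives no concrete timings; the clock is injectable so the backoff can be exercised without actually sleeping.

```python
import hmac
import time


class PinGuard:
    """Rate-limited PIN check: each failed attempt lengthens the wait before the next.

    Assumed policy for this example: after n consecutive failures the next
    attempt is refused until 2**n seconds have passed. A refused attempt does
    not touch the counter, so hammering the device during the wait gains nothing.
    """

    def __init__(self, pin, clock=time.monotonic):
        self._pin = pin.encode()
        self._clock = clock
        self.failures = 0
        self._unlocked_at = 0.0  # earliest time the next attempt is accepted

    def required_delay(self):
        """Current wait imposed after the most recent failure, in seconds."""
        return 0.0 if self.failures == 0 else float(2 ** self.failures)

    def seconds_until_allowed(self):
        return max(0.0, self._unlocked_at - self._clock())

    def attempt(self, candidate):
        """Return 'ok', 'wrong', or 'locked' (refused while the wait is running)."""
        if self.seconds_until_allowed() > 0:
            return "locked"
        # compare_digest avoids leaking the PIN through comparison timing
        if hmac.compare_digest(self._pin, candidate.encode()):
            self.failures = 0
            self._unlocked_at = 0.0
            return "ok"
        self.failures += 1
        self._unlocked_at = self._clock() + self.required_delay()
        return "wrong"


class SimulatedClock:
    """Manually advanced clock so the backoff can be exercised without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate(pin, script):
    """Run a scripted sequence of (seconds_to_wait_first, candidate_pin).

    Returns a list of (outcome, delay_now_in_force) tuples.
    """
    clock = SimulatedClock()
    guard = PinGuard(pin, clock)
    outcomes = []
    for wait, candidate in script:
        clock.advance(wait)
        outcomes.append((guard.attempt(candidate), guard.required_delay()))
    return outcomes


if __name__ == "__main__":
    # Constructed scenario: two wrong guesses with retries during the lockout,
    # then the correct PIN.
    for step in simulate("1234", [(0, "0000"), (0, "0000"), (2, "0000"),
                                  (3, "0000"), (4, "1234"), (0, "1234")]):
        print(step)
```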

What happens if I lose my KeepKey?

As long as you have access to the recovery sentence you wrote down during initialization, you can recover your bitcoins on any wallet that supports BIP39 and BIP44. You can also recover your bitcoins on a new KeepKey; this way your private keys never leave the device.

How can I be certain that the KeepKey is not secretly stealing or leaking my Bitcoin private keys?

KeepKey’s firmware is open source. We also provide tools to do reproducible builds of the firmware that match our released versions byte-for-byte. Therefore, you do not need to trust us that the firmware is doing what we say it does.

How is KeepKey able to be restored with a twelve-word recovery sentence without exposing the recovery sentence to the computer it is being entered on?

First, KeepKey displays a cipher to be used for entry, which reshuffles after each character is entered. After three or four characters, KeepKey will autocomplete the word being entered. When you see the word you are trying to enter autocompleted on KeepKey, you can continue on to the next word. The only information leaked to the computer KeepKey is connected to is whether a word was completed after three or four characters. At a minimum, entering a twelve-word recovery sentence using KeepKey's recovery process has a strength of 111 bits of entropy.
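The following simulation, added here as an illustration and not KeepKey's own code, walks through the exchange just described with both sides' view of it: the device draws a fresh substitution cipher before every character, the user reads the scrambled letter off the device and types it on the host, and the device inverts the cipher and autocompletes once the prefix identifies a single word. The host transcript returned by the function is everything the computer ever sees. The fourteen-word list is a constructed stand-in for the 2048-word BIP39 list (which is unique by its first four letters), and the "unique prefix of at least three letters" completion rule is an assumption that matches the three-or-four-character behaviour stated above.

```python
import random
import string

# Constructed subset of a BIP39-style wordlist for the simulation only.
WORDLIST = ["abandon", "ability", "able", "about", "above", "absent",
            "wave", "winner", "wolf", "word", "zebra", "zero", "zone", "zoo"]
MIN_PREFIX = 3  # assumed: the device never completes on fewer than three letters


def new_cipher(rng):
    """Device side: a fresh random permutation of the alphabet.

    Returns a dict mapping each plaintext letter to the scrambled letter the
    device shows beneath it on its screen.
    """
    plain = list(string.ascii_lowercase)
    scrambled = plain[:]
    rng.shuffle(scrambled)
    return dict(zip(plain, scrambled))


def autocomplete(prefix, wordlist=WORDLIST):
    """Return the single word matching prefix, or None while it is still ambiguous."""
    if len(prefix) < MIN_PREFIX:
        return None
    matches = [w for w in wordlist if w.startswith(prefix)]
    return matches[0] if len(matches) == 1 else None


def recover_sentence(intended_words, rng, wordlist=WORDLIST):
    """Simulate entering a recovery sentence through the scrambled-keyboard cipher.

    Returns (words_recovered_by_device, host_transcript). The host transcript
    holds only the scrambled keystrokes, one string per word.
    """
    recovered, host_transcript = [], []
    for word in intended_words:
        prefix, typed, done = "", [], None
        for plain_letter in word:
            cipher = new_cipher(rng)                      # device reshuffles per character
            keystroke = cipher[plain_letter]              # user reads it off the device screen
            typed.append(keystroke)                       # host relays this and sees nothing else
            inverse = {v: k for k, v in cipher.items()}
            prefix += inverse[keystroke]                  # device undoes the cipher
            done = autocomplete(prefix, wordlist)
            if done:
                break
        recovered.append(done if done else prefix)
        host_transcript.append("".join(typed))
    return recovered, host_transcript


def host_view(host_transcript):
    """What the computer can infer: only how many keystrokes each word took."""
    return [len(t) for t in host_transcript]


if __name__ == "__main__":
    # Constructed input sentence; SystemRandom stands in for the device RNG.
    words, transcript = recover_sentence(["abandon", "about", "zoo", "word"],
                                         random.SystemRandom())
    print("device recovered:", words)
    print("host saw        :", transcript)
    print("host learns     :", host_view(transcript))
```

Because a new permutation is drawn for every keystroke, each scrambled letter the host records is uniformly distributed regardless of the letter behind it; the per-word keystroke count (three or four) is the only signal that survives, which is the leak the answer above accounts for in its 111-bit figure.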